[Pkg-shadow-devel] acl, attr and selinux

Peter Vrabec pvrabec at redhat.com
Mon Nov 21 12:23:31 UTC 2011

Hi all,

On Thursday, November 17, 2011 11:53:32 PM Nicolas François wrote:
> Hi Peter,


> I have an issue with the following sequence:
>  * commonio_open
>    -> scontext is set to the /etc/shadow context
>  * No changes by the program
>  * commonio_close
>    -> goto success because there were no changes
>    -> setfscreatecon (NULL)
>       because we did not pass through getfscreatecon (&old_context)
> I would propose the attached patch. Is this fine?
> (I do not think there would really be issues because the shadow utils call
> close() shortly before exit())
> Other sequence with possible issue:
>  * no context associated to /etc/shadow
>    -> scontext set to NULL
>  * restricted file creation context set to the shadow util
>  => Can this happen?
>  => Should the file creation context be set to NULL before creating
>     /etc/<file>+
> Question regarding SELinux: The overall goal of scontext is to set
> the context of the temporary file /etc/shadow+ to the one of /etc/shadow.
> Is there a way to set this context in advance even if /etc/shadow did not
> exist (i.e. the context cannot be retrieved with fgetfilecon)?
> (does getfilecon provide a context even if the file does not exist?)
> Is it safe not to do it? Should the creation of /etc/shadow be forbidden
> in some cases to let the admin create the file correctly (with the right
> context)?

Frankly, I don't understand how this code works. I mean selinux stuff in 
lib/commonio.c. That's why I put our selinux crew on the copy.

fgetfilecon() in commonio_open() reads the SELinux context and store it into 
db->scontext. The stored context is freed in the end of  commonio_open(). What 
was it used for?

security_context_t old_context = NULL;
if (db->scontext != NULL) {
                        if (getfscreatecon (&old_context) < 0) {
                                goto fail;
                        if (setfscreatecon (db->scontext) < 0) {
                                goto fail;

db->scontext is always NULL, isn't it?

I'm afraid I'm missing something here. :)


More information about the Pkg-shadow-devel mailing list